Home/Capabilities/Serverless

Serverless for federal, event-driven by design.

Lambda on GovCloud. Azure Functions on Azure Government. Cloud Run on Assured Workloads. Step Functions, EventBridge, Durable Functions, Workflows. Pay for work done, not idle time.

Discuss your event-driven systemCapabilities statement

Overview — why serverless matters for federal agencies

Federal workloads are disproportionately bursty. A document ingestion pipeline processes 40,000 filings in a single day and nothing the next. An emergency response API handles 1,000 calls per minute during a hurricane and 10 per minute when the weather is calm. A regulatory reporting job runs on the last business day of the quarter. For workloads with these shapes, running a fleet of VMs sized for peak is expensive idle capacity the rest of the time, and running for average means the system fails when it matters most. Serverless solves the mismatch by billing for the work done rather than the capacity allocated.

AWS Lambda, Azure Functions, and Google Cloud Run are all FedRAMP High authorized in their respective government clouds. Step Functions, EventBridge, SNS, SQS, Azure Logic Apps, Azure Service Bus, Azure Event Grid, Google Cloud Pub/Sub, Eventarc, and Workflows are the orchestration and messaging primitives that turn individual functions into complete event-driven systems. Precision Federal engineers these systems for federal agencies where the economics and operational profile fit.

Our technical stack

LayerTechnologyFederal use
Function runtimes (AWS)Lambda (Node.js, Python, Java, Go, .NET, Ruby, custom runtimes via container image)Pure functions, ETL, API handlers, scheduled jobs
Function runtimes (Azure)Azure Functions (C#, Python, Node, Java, PowerShell), Durable FunctionsStateful orchestrations, long-running workflows
Function runtimes (GCP)Cloud Functions (2nd gen / Cloud Run under the hood), Cloud Run jobsContainer-based functions and batch jobs
Container serverlessCloud Run, AWS App Runner, Azure Container Apps, AWS FargateContainerized HTTP services with scale-to-zero
OrchestrationAWS Step Functions (Standard + Express), Azure Durable Functions, GCP WorkflowsLong-running workflows with retries and human-in-the-loop
Event busEventBridge, Azure Event Grid, EventarcDecoupled event routing
MessagingSQS, SNS, Azure Service Bus, Pub/Sub, Amazon MQDurable messaging, fan-out, FIFO
StreamingKinesis Data Streams, Event Hubs, Pub/Sub, MSK, Amazon MSK ServerlessReal-time telemetry ingestion
API gatewayAPI Gateway (REST and HTTP), Azure API Management, GCP API Gateway, ApigeePublic/private APIs with auth, throttling, mTLS
ObservabilityX-Ray, CloudWatch Logs, Application Insights, Cloud Trace, OpenTelemetryDistributed tracing, cold-start analysis, error tracking
FrameworksAWS SAM, AWS CDK, Serverless Framework, Azure Functions Core Tools, Bicep, Pulumi, TerraformDeclarative deployment
Local devSAM local, LocalStack, Azure Functions Core Tools, Firestore emulatorTest and debug before GovCloud deploy

Federal use cases

  • VA — claims ingestion. Veterans upload PDF claims; S3 event triggers Lambda for Textract OCR, Step Functions orchestrates classification and routing, DynamoDB records state, Lambda pushes to downstream case management.
  • FDA — regulatory filing processor. Pharmaceutical submissions trigger Azure Functions for validation, Durable Functions orchestrate multi-step approval with human review, Event Grid fans out to reviewer notifications.
  • USDA — crop condition ingestion. Satellite imagery lands in Cloud Storage, Eventarc triggers Cloud Run processor, BigQuery stores aggregated features, Workflows coordinates training pipeline.
  • IRS — 1099 reporting aggregation. Annual burst workload: Lambda processes filings from SQS at up to 10,000 concurrent invocations, Step Functions handles retries and dead-letter routing, scales to zero between filing seasons.
  • CBP — traveler screening event pipeline. EventBridge routes screening events to multiple downstream systems, Lambda applies business rules, outcomes published to SNS topics for agency SIEM integration.
  • HHS — ClaimsHub API. API Gateway in front of Lambda backed by DynamoDB, throttled by agency consumer, PrivateLink endpoints for internal connectivity.
  • NASA — data pipeline trigger. S3 raw science data drops trigger Lambda for metadata extraction, Step Functions runs downstream batch on AWS Batch, notifies science team via SNS.
  • DHS / CISA — vulnerability notification fan-out. EventBridge scheduled rules pull CVE feeds, Lambda enriches with agency-specific priority, SNS fans out to agency SOC topics.
  • SBIR prototype backends. Lambda + API Gateway + DynamoDB as the default stack for fast Phase I prototypes — no servers, no containers, under $100/month at prototype scale.
  • FEMA — emergency declaration cascade. Declaration event triggers Step Functions workflow to notify federal agencies, update public map, and provision supplemental compute capacity.

Reference architectures

Reference 1: Document ingestion pipeline in GovCloud

S3 bucket in us-gov-west-1 with object-level CloudTrail and SSE-KMS receives incoming filings. S3 Event Notification publishes to EventBridge, which routes to a Step Functions Standard workflow. The workflow invokes Lambda for Textract OCR, Lambda for classification (calling a SageMaker endpoint or Bedrock in GovCloud), Lambda for business validation, and a final Lambda to write to DynamoDB + push to SQS for downstream agency systems. Failed steps route to a dead-letter SQS queue with a Lambda processor that logs to CloudWatch and opens a Jira ticket via EventBridge. Every Lambda has tight IAM (one role per function, least-privilege policies), VPC attachment via ENIs for PrivateLink to Textract, and a reserved concurrency cap to prevent runaway cost.

Reference 2: Stateful workflow on Azure Government

Azure Functions Premium Plan in Azure Government with VNet integration, backed by Durable Functions for stateful orchestration. Incoming submissions hit an APIM-fronted HTTP trigger, starting an orchestrator function that calls activity functions for validation, approval routing (with human-in-the-loop via a wait-for-external-event pattern), and final persistence to Cosmos DB. Key Vault references for database connection strings, Entra ID Government for API auth, Log Analytics for logs flowing to Microsoft Sentinel, Application Insights for distributed tracing, and Defender for Cloud monitoring function app configuration.

Reference 3: Cloud Run microservices on Assured Workloads

Cloud Run services in a GCP Assured Workloads FedRAMP High folder, each service packaged as a signed container image from Artifact Registry with Binary Authorization enforcing signed-only. Services communicate via Pub/Sub topics with Cloud Run push subscriptions (over internal networking via Private Service Connect). Eventarc routes Cloud Audit Log events and Cloud Storage events to Cloud Run targets. Secret Manager integration injects credentials at cold start. Cloud Logging with Chronicle SIEM integration and Cloud Trace for latency diagnosis. VPC Service Controls perimeter prevents cross-project data exfiltration.

Delivery methodology

  1. Workload shape assessment. Is this workload actually a good serverless fit? Intermittent, event-driven, or API with large burst-to-average ratio? Steady-state CPU-bound services usually do better on containers or VMs.
  2. Service choice. Function-as-a-Service (Lambda/Functions) for micro-workloads; Container-as-a-Service (Cloud Run / App Runner / Container Apps) for HTTP services that want scale-to-zero; Step Functions / Durable Functions / Workflows for orchestration.
  3. IaC scaffold. SAM, CDK, Bicep, Terraform, or Pulumi — pick one per engagement. We prefer CDK or Terraform for federal work because they handle multi-account/subscription concerns cleanly.
  4. Build with local dev in the loop. SAM local, Functions Core Tools, LocalStack, and emulators keep the iteration loop fast before any GovCloud deploy.
  5. Security hardening. Least-privilege IAM per function, VPC attachment where needed, Secrets Manager/Key Vault for secrets, code signing where supported, runtime protection (Lambda Runtime API Proxy, Defender for Cloud).
  6. Observability and cost instrumentation. X-Ray / Application Insights / Cloud Trace, CloudWatch Logs with metric filters, reserved concurrency and min-instance settings documented.
  7. Deployment pipeline. CI/CD with blue-green or canary deploys, function aliases and traffic shifting, automatic rollback on CloudWatch alarm breach.
  8. Continuous monitoring for ATO. Config / Azure Policy / Security Command Center rules for serverless misconfigurations, evidence hooks into FedRAMP package.

Engagement models

  • Fixed-price serverless build. 6–12 weeks to deliver a complete event-driven system with IaC, CI/CD, and operational runbooks.
  • T&M serverless engineering. Ongoing development against a federal application roadmap.
  • SBIR Phase I/II. Serverless-first prototypes for rapid feasibility studies.
  • Prototype-to-production migration. Take a commercial AWS/Azure serverless application and move it to GovCloud / Azure Government with FedRAMP alignment.
  • Cost optimization engagement. Audit existing federal serverless estate for architectural and configuration cost wins.
  • Sub-to-prime. Serverless engineering cell inside a larger federal program.

Maturity model

  • Level 1 — Ad hoc Lambdas. Functions deployed from the console with inline code, broad IAM, no observability.
  • Level 2 — IaC-managed. SAM/CDK/Terraform scaffold, per-function roles, CloudWatch Logs on, basic alarms.
  • Level 3 — Orchestrated and observable. Step Functions for multi-step workflows, X-Ray for distributed tracing, structured logging, reserved concurrency controls.
  • Level 4 — Security-hardened and FedRAMP-aligned. VPC integration, Secrets Manager, code signing, runtime protection, evidence hooks into SSP, DLQs with automated triage.
  • Level 5 — Continuous delivery with progressive deployment. Canary and linear traffic-shift deployments with CloudWatch-alarm-based auto-rollback, feature flags via AppConfig, A/B behavior for operational experimentation.

Deliverables catalog

  • SAM / CDK / Terraform templates for each function and orchestration
  • CI/CD pipeline (CodePipeline, GitHub Actions, Azure DevOps) with gated promotions
  • Step Functions / Durable / Workflows state machines with visualized diagrams
  • Structured logging schema and CloudWatch metric filters
  • X-Ray / Application Insights dashboards
  • Dead-letter queue runbooks with automated triage Lambda
  • IAM least-privilege policy catalog
  • Secrets rotation playbooks
  • Reserved concurrency and cost budget plan
  • Cold-start benchmark and provisioned-concurrency sizing
  • NIST 800-53 control narratives specific to the serverless tier
  • Load test plan (Artillery, k6) with ramp-up patterns

Technology comparison — serverless platforms

DimensionAWS LambdaAzure FunctionsCloud Run
Gov availabilityGovCloud (IL4/IL5)Azure Gov (IL5)Assured Workloads (FedRAMP High, IL4 PA)
Max execution time15 minutesPremium: unlimited; Consumption: 10 min60 minutes (jobs up to 168 hrs)
Cold start mitigationProvisioned ConcurrencyPremium Plan always-readyMin instances
OrchestrationStep Functions (excellent)Durable Functions (excellent)Workflows (solid)
Container supportContainer image up to 10 GBContainer image (Premium/Flex)Container-first (always)
PricingPer-request + GB-secConsumption or Premium PlanPer-request + vCPU/memory time
Best fitAWS-native event-drivenMicrosoft-stack orchestrationContainerized HTTP services

Federal compliance mapping

  • AC-3, AC-6. Per-function IAM roles; Lambda function-URL auth; APIM/API Gateway Lambda authorizers; Entra ID on Functions.
  • AU-2, AU-12. CloudWatch Logs with subscription filters to SIEM; Application Insights to Log Analytics to Sentinel; Cloud Logging to Chronicle.
  • CM-6. AWS Config rule lambda-function-settings-check; Azure Policy built-in Functions policies; Security Command Center misconfig findings.
  • IA-2. OIDC via Cognito, Entra ID, or Identity Platform behind API Gateway / APIM / Load Balancer.
  • SC-7. VPC-attached Lambda, VNet integration for Functions, Cloud Run with VPC egress to private networks.
  • SC-8, SC-13. TLS 1.2+ on all endpoints, FIPS endpoints in GovCloud and GCC High, CMK encryption for logs and function code.
  • SI-4. Lambda Insights / Application Insights / Cloud Monitoring with anomaly detection.
  • SI-7. Lambda code signing profiles; signed container images for Cloud Run / Container Apps / Lambda container images.
  • SR family. SBOMs generated for function packages, Rekor-logged signatures via Cosign where applicable.

Sample technical approach

A federal agency needs an event-driven pipeline to process 15,000 weekly public comments submitted to a regulatory proposal, classify them, extract themes, and produce a summary dashboard. Approach:

  1. Comments submitted via API Gateway HTTP API in GovCloud, behind Cognito-based auth for authenticated submissions and anonymous allowed with reCAPTCHA.
  2. API Lambda writes raw comment to DynamoDB and publishes to EventBridge bus public-comments.
  3. EventBridge rule routes to Step Functions Standard workflow. Workflow executes: Lambda for PII scrub (Comprehend Detect PII), Lambda for sentiment (Comprehend or local model), Lambda for theme classification (SageMaker endpoint), Lambda for storage (DynamoDB update + S3 archive).
  4. Parallel branch: every 1,000 comments, Step Functions invokes an AWS Batch job on Fargate for theme aggregation and dashboard refresh.
  5. Dashboard: API Gateway + Lambda + DynamoDB serving Athena queries over the S3 archive. QuickSight public embed for the mission owner.
  6. Observability: X-Ray tracing across Step Functions and Lambdas, CloudWatch Logs to Splunk, CloudWatch alarms on DLQ depth and workflow failure rate with PagerDuty integration.
  7. Cost: estimated $150/month at 15,000 comments/week. Reserved concurrency caps at 100 per function to contain unintended cost blowup.
  8. ATO: FedRAMP Moderate baseline, Lambda and Step Functions inherit from AWS GovCloud authorization. Customer-responsible controls documented in SSP.

Related capabilities, agencies, contracts, and insights

Serverless pairs with every federal capability we deliver. Cloud foundations: AWS GovCloud, Azure Government, GCP Assured Workloads. Data and AI: data engineering, machine learning, agentic AI. DevSecOps: CI/CD pipelines, Terraform IaC, supply chain security. Compliance and security: FedRAMP engineering, cybersecurity and DevSecOps. Platform: Kubernetes for federal, platform engineering, full-stack development. Agencies: VA, IRS, DHS, USDA, HHS, FEMA, NASA. Contract vehicles: SBIR, SAM.gov. Insights: Lambda GovCloud patterns, Step Functions for federal workflows, Cold start mitigation. Past performance: SAMHSA ML. Resources: Serverless IAM patterns.

Frequently Asked
Federal serverless, answered.
Is serverless appropriate for federal workloads?

Yes, for event-driven, variable, or bursty workloads. Lambda, Azure Functions, and Cloud Run are FedRAMP-authorized in their government variants and inherit High baseline controls. The cost model often beats always-on VMs by 60–90% for intermittent workloads. For steady-state high-utilization workloads, containers or VMs are more economical.

Do Lambda and Azure Functions work in GovCloud and Azure Government?

Yes. AWS Lambda is available in both AWS GovCloud regions with FedRAMP High authorization and DoD SRG IL5 authorization. Azure Functions run in Azure Government at FedRAMP High and IL5. Cloud Run is available in Google Cloud Assured Workloads at FedRAMP High and has IL4 Provisional Authorization.

How do you handle secrets in serverless?

AWS Secrets Manager with Lambda extensions for caching, Azure Key Vault referenced via app settings with Key Vault references, GCP Secret Manager with Cloud Run secret references. Secrets never land in environment variables unencrypted, and rotation is automated on 30/60/90-day cadence depending on the secret type.

Can Step Functions orchestrate federal workflows?

Yes. AWS Step Functions in GovCloud orchestrates long-running federal workflows — claims processing, document ingestion, ETL pipelines — with built-in error handling, exponential retries, parallel execution, and integration with 200+ AWS services. Azure Durable Functions and GCP Workflows provide equivalents. Express workflows run high-volume short-duration work at lower cost.

How do you address the cold-start problem?

Provisioned Concurrency on Lambda, Premium Plan on Azure Functions, minimum instances on Cloud Run. For latency-critical federal user interfaces we allocate warm capacity sized to baseline traffic and use the pay-per-request model only for burst above the baseline. We measure cold-start latency explicitly and include it in SLOs.

Can you put Lambda in a VPC?

Yes. Lambda VPC attachment is standard for federal workloads that need PrivateLink access to RDS, Secrets Manager, internal APIs, or on-premises via Direct Connect. The initialization overhead is modest (sub-second for the warm path) and fully supported by Provisioned Concurrency.

How do you handle long-running workloads?

Step Functions / Durable Functions / Workflows for orchestration across many short function invocations. For compute longer than the function limits (15 min Lambda, 10 min Functions Consumption), we use AWS Batch on Fargate, Azure Container Apps Jobs, or Cloud Run Jobs (up to 168 hours).

Do you use the Serverless Application Repository or AWS SAM?

We use SAM and CDK for AWS-native work, Bicep for Azure, and Pulumi or Terraform for multi-cloud. Serverless Application Repository is occasionally useful for agency-shared components. We avoid framework lock-in where practical.

What is your approach to testing serverless?

Unit tests on pure function logic, integration tests against LocalStack or Azure Functions Core Tools, end-to-end tests in ephemeral AWS accounts or Azure subscriptions spun up by the pipeline and torn down on completion. Load tests with Artillery or k6 before production cutover.

How do you manage serverless cost?

Reserved concurrency caps to bound cost, CloudWatch alarms on concurrent execution and invocation count, cost allocation tags on every resource, Savings Plans for Compute Savings Plans on Lambda, weekly cost reviews, and explicit right-sizing of memory allocation (which directly controls Lambda CPU).

Can serverless handle HIPAA / CUI data?

Yes, with proper configuration. Lambda in GovCloud and Azure Functions in Azure Government inherit FedRAMP High authorization. CMK encryption on logs and environment variables, PrivateLink/VNet egress only, least-privilege IAM, and SSP documentation complete the picture.

Do you do WebSocket and real-time with serverless?

Yes. API Gateway WebSocket APIs with Lambda route handlers, Azure Web PubSub with Functions, or Cloud Run with WebSockets. For higher-scale real-time, we use managed streaming (Kinesis, Event Hubs, Pub/Sub) with Lambda / Functions / Cloud Run consumers.

Related capabilities
Often deployed together.
Capability

AWS GovCloud

Lambda, Step Functions, EventBridge on the IL4/IL5 foundation.
Capability

Kubernetes for Federal

For steady-state workloads that complement serverless bursts.
Capability

Data Engineering

Serverless ETL with Glue, Dataflow, and EventBridge-triggered pipelines.
1 business day response

Serverless, federal-ready.

Lambda, Azure Functions, Cloud Run. Pay for work done, not idle time.

[email protected]
UEI Y2JVCZXT9HP5CAGE 1AYQ0NAICS 541512SAM.GOV ACTIVE